Statistics Canada caught the intrusion before any data was stolen, Reuters reports. As a precaution, the country also shut down its revenue agency website, used for filing tax returns, on March 10.

John Glowacki, chief operating officer of Shared Services Canada - the federal government's IT service provider - said during a March 13 technical briefing for reporters that affected sites were fixed and restored by March 12, Reuters reports. He also claimed that other countries "are actually having greater problems with this specific vulnerability," although he did not name the countries.

CRA is pleased to report that all of its digital services were returned to service on Sunday, March 12.

Apache Struts is open-source software that is used for building and maintaining Java web applications. Airlines, car rental firms, e-commerce shops, social networks and government agencies are among the many types of organizations that use it.

Even before this flaw was discovered, attackers were regularly searching for web applications that include built-in Apache Struts functionality, then attempting to exploit Struts, the security firm Imperva warned in early January.

"Attackers launch reconnaissance attacks on a variety of web applications to find one that is not patched," Ajay Uggirala and Gilad Yehudai of Imperva write in a blog post. "This tactic is very effective."

Since 2010, Apache Struts has had 68 other remote code execution vulnerabilities, Mia Joskowicz and Nadav Avital of Imperva write in a March 13 blog post. "This is yet another incident that adds up to a long list of vulnerabilities in this framework," they say of the new zero-day Struts 2 flaw.

Warning: Patch Now

The Apache Software Foundation issued a patch for that flaw on March 8, advising users to update to Struts version 2.3.32 or 2.5.10.1.

The problem, CVE-2017-5638, exists in a Struts feature called the Jakarta Multipart parser, which is used to upload files. The flaw could allow an attacker to craft a malicious Content-Type value within an HTTP request, which would cause the software to throw an exception, Tom Sellers of the security company Rapid7 writes in a blog post.

"When the software is preparing the error message for display, a flaw in the Apache Struts Jakarta Multipart parser causes the malicious Content-Type value to be executed instead of displayed," he writes. No authentication credentials are required to launch the attack.
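Because the parser acts on the Content-Type value before any authentication runs, a proxy or WAF log of that header is the cheapest place to spot attempts. The following is an added detection example, not code from the article or from Rapid7; the request sample is constructed here, and the expression-marker placeholder in it is only a marker, not a payload.

```python
import re

# Constructed sample: (client address, Content-Type value) pairs as a reverse proxy
# might log them. The third and fourth entries only carry the expression delimiters.
SAMPLE_REQUESTS = [
    ("10.0.0.5", "multipart/form-data; boundary=----WebKitFormBoundary7MA4YWxk"),
    ("10.0.0.9", "application/x-www-form-urlencoded"),
    ("198.51.100.7", "%{(#demo='constructed placeholder')}"),
    ("203.0.113.4", "multipart/form-data; boundary=${x}"),
]

# OGNL expression delimiters; a legitimate media type never contains either of them.
OGNL_MARKERS = re.compile(r"[%$]\{")
# RFC 2045 shape: type/subtype followed by optional ";name=value" parameters.
MEDIA_TYPE = re.compile(
    r'^[\w!#$&^.+-]+/[\w!#$&^.+-]+(\s*;\s*[\w-]+=("[^"]*"|[^\s;]*))*\s*$'
)

def content_type_verdict(value: str) -> str:
    """Classify one Content-Type value; anything but 'ok' deserves a look."""
    if OGNL_MARKERS.search(value):
        return "ognl-marker"      # expression syntax where only a media type belongs
    if len(value) > 256:
        return "oversized"        # far longer than any real media type with parameters
    if not MEDIA_TYPE.match(value):
        return "malformed"        # the multipart parser will try to report it as an error
    return "ok"

def scan_requests(requests):
    """Return (client, verdict, value) for every request whose header is not 'ok'."""
    hits = []
    for client, content_type in requests:
        verdict = content_type_verdict(content_type)
        if verdict != "ok":
            hits.append((client, verdict, content_type))
    return hits

if __name__ == "__main__":
    for client, verdict, value in scan_requests(SAMPLE_REQUESTS):
        print(f"{client:14} {verdict:12} {value[:60]}")
```

The marker check is deliberately first: an expression delimiter inside an otherwise well-formed multipart header (the last sample) is still an attempt.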

Attacks Ongoing

Imperva's researchers write that they've seen several thousand attacks between March 7 and March 12 originating from 1,323 IP addresses in 30 countries.

Security experts expect the flaw to be widely exploited. Shortly after the flaw was announced, Rapid7 began monitoring for attempts to exploit the vulnerability across a network of honeypots it has within five major cloud services providers and across other private networks (see Scans Confirm: The Internet is a Dump).

Rapid7 says the first malicious requests attempting to exploit the flaw were spotted on March 7. The next day, Rapid7 caught a sample of the Linux malware installed using the vulnerability, a type of distributed denial-of-service application called XOR DDoS.

Cisco's Talos research group has also spotted a more aggressive attack campaign that exploits the Struts 2 vulnerability. It starts by trying to disable a Linux firewall, then tries to deliver payloads ranging from an IRC bouncer to other botnet and denial-of-service code.

"Patching this flaw should be your top priority right now," says Johannes Ullrich, dean of research for the SANS Technology Institute, in a recent SANS newsletter. "We have observed exploit attempts shortly after the flaw became known. Exploitation is trivial and tools to exploit this problem are readily available."

Ullrich adds that organizations should inventory all applications for any potential use of Struts 2 functionality because "Struts can be a component of many Java-based web applications," including JBoss and HipChat.
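Inventorying for embedded Struts means looking inside deployed archives, not only at top-level jars. As an added example (not from the article or from SANS), the following walks a deployment directory, finds struts2-core jars both as bare files and inside .war/.ear archives, and flags any version older than the fixed releases named above (2.3.32 and 2.5.10.1); the root path is an assumption you supply.

```python
import re
import zipfile
from pathlib import Path

# Fixed releases per branch, as given in the Apache advisory cited in the article.
FIXED = {(2, 3): (2, 3, 32), (2, 5): (2, 5, 10, 1)}
JAR_NAME = re.compile(r"(?:^|/)struts2-core-(\d+(?:\.\d+)+)\.jar$")

def parse_version(text):
    return tuple(int(part) for part in text.split("."))

def needs_update(version):
    """True when a struts2-core version is older than the fixed release for its branch."""
    parsed = parse_version(version)
    fixed = FIXED.get(parsed[:2])
    if fixed is None:
        return True               # branch with no fixed release listed: flag for review
    return parsed < fixed         # tuple compare: (2, 5, 10) < (2, 5, 10, 1)

def classify_entries(entries):
    """Given path strings (bare files or 'archive!/member'), return (path, version, flag)."""
    found = []
    for entry in entries:
        match = JAR_NAME.search(entry.replace("\\", "/"))
        if match:
            found.append((entry, match.group(1), needs_update(match.group(1))))
    return found

def scan_tree(root):
    """Collect jar names on disk and inside .war/.ear archives, then classify them."""
    entries = []
    for path in Path(root).rglob("*"):
        if path.suffix == ".jar":
            entries.append(str(path))
        elif path.suffix in (".war", ".ear") and zipfile.is_zipfile(path):
            with zipfile.ZipFile(path) as archive:
                entries.extend(f"{path}!/{name}" for name in archive.namelist())
    return classify_entries(entries)

if __name__ == "__main__":
    for entry, version, flag in scan_tree("/opt/deployments"):   # assumed root
        print(f"{'UPDATE' if flag else 'ok':7} {version:10} {entry}")
```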

About the Author

Jeremy Kirk is a veteran journalist who has reported from more than a dozen countries. Based in Sydney, he is Managing Editor for Security and Technology for Information Security Media Group. Prior to ISMG, he worked from London and Sydney covering computer security and privacy for International Data Group. Further back, he covered military affairs from Seoul, South Korea, and general assignment news for his hometown paper in Illinois.
